Virus Alert: If you’re a cryptocurrency trader, this worm can cost you everything.

Blockchain it is the new buzzword on the Net – the brainchild of a person or group of people known as Satoshi Nakamoto. But since its invention it has changed into something of importance to everyone.

What Is Blockchain?

Blockchain allows for digital information to be distributed and not copied. It was originally created to be the foundation of a new type of internet and digital currency known as cryptocurrency.

These currencies go by many names (including Bitcoin) and have been called digital gold. Today the value of this new currency runs into the billions of dollars.

Blockchain technology has been a game changer for the finance industry and crypto-currencies have been trading at record levels this year. Investors find them a great alternative to mine wealth. Unfortunately, other miners find it easier to let you do all the work, then take the proceeds for themselves.

The FacexWorm Attacks Crytocurrency Investors

You can catch the virus called FacexWorm as easily as opening a video link from someone you know via Facebook Messenger. If you get one, you better keep your eyes wide open and your fingers still. If you click it you may regret it, and all of your new blockchain acquisitions might be gone in a second.

The FacexWorm

Cyber security experts are warning users of blockchain technology of a dangerous and invasive Chrome extension being spread through Facebook Messenger. Prime targets are users of blockchain cryptocurrency trading platforms. The mission: access all their account credentials, info and data.

FacexWorm, first showed its ugly face in August of 2017, but apparently it’s being improved because recent versions have a host of new malicious capabilities.

These New FacexWorm Capabilities include:

Stolen account credentials from websites like Google

Invasion of numerous cryptocurrency and trading sites

Redirecting traders to cryptocurrency scams sites

Interjecting web page miners onto cryptocurrency trading platforms

Redirection to a miner’s link for cryptocurrency referral programs so they can not only mine you but also any of your contacts with blockchain currency accounts

Facebook Messenger has now become a favorite target to spread worms and other forms of cyber-destruction.

Other cyber security issues that relate to blockchain attacks are a Monero-cryptocurrency mining bot, called Digmine. It targets Windows and Google Chrome and is spread through Messenger by redirecting crypto-traders to popular video sites like YouTube.

The FacexWorm extension targets only Chrome users so far. If the user does not use Chrome, they will be redirected to a benign useless advertisement.

How FacexWorm Does Its Damage

FacexWorm works by transmitting specifically engineered links via Facebook. If clicked on while using the Chrome browser, FacexWorm redirects you to a bogus YouTube page. To continue, the user must download a fake Chrome extension as a codec extension.

Once installed, the FacexWorm Chrome extension automatically downloads additional modules from its command and control server and creates a replicant clone of Chrome. In addition to its routine functions, the FacexWorm also contains a code snippet that it injects onto the affected system. The destructive new worm spreads every time a new web page is opened.

Researchers reported “FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage. With all permissions accepted at installation the worm can access or modify data for any websites opened.”

How Much Damage Can the FacexWorm Do?

By obtaining a user’s friend list, it can send out bogus YouTube video links and request authorization access to everyone on your list, spreading itself around the globe.

It can capture account credentials and info for Google, MyMonero, and Coinhive, when the user opens a target website login page. It can also install a cryptocurrency miner to any opened web pages, utilizing the user’s own computer to mine Cryptocurrency.

Highjacking

FacexWorm can highjack cryptocurrency related trading transactions by redirecting the keyed-in address and replacing it with the attackers address. When any one of the 52 crypto-currency trading platforms like “blockchain,” “eth-,” or “ethereum” are typed into the URL, FacexWorm redirects to the scam webpage where the hacker can steal any or all of the crypto-coins. Targets include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.

This Blockchain Malware Is Sneaky

FacexWorm is sneaky. To avoid discovery and extraction it immediately closes an opened tab when it detects Chrome is being opened. There is even an incentive for hackers every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.

This is only the beginning with just one Bitcoin transaction being recently affected. With the widespread use of Facebook Messenger around the globe, the worm will spread with it. The malware already has surfaced in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

Bottom Line

Facebook spam campaigns are nothing new, so it is always smart to be careful, especially with banking and currency sites and the potentially tremendous losses.

Many malicious extensions have already been removed by Chrome, but they keep reappearing so be careful with your currency trading.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.